When using secret key based algorithms, a fault injection protection mechanism may be required. Such a mechanism is a secure way to protect the secret key against differential fault analysis related to key manipulation. Differential fault analysis is a cryptographic attack that forces transient hardware faults and resulting computational errors, such as during execution of a key scheduling algorithm or of a last encryption round, in order to extract cryptographic key information. This fault analysis is applicable to both public key and secret key cryptosystems, including tamper-resistant devices on smart cards. For example, Eli Biham and Adi Shamir, in “Differential Fault Analysis of Secret Key Cryptosystems”, Advances in Cryptology—CRYPTO '97, LNCS 1294, pp. 513-525 (Springer-Verlag, 1997), describe differential fault analysis attacks upon DES-like ciphers.
Currently available protection mechanisms are implemented off-line and are not suitable for all applications. For example, existing mechanisms would not offer protection to session keys, which are generated as needed rather than in advance.
Hagai Bar-El et al., in “The Sorcerer's Apprentice Guide to Fault Attacks”, Discretix Technologies White Paper, given at Workshop on Fault Detection and Tolerance in Cryptography, Florence Italy, 30 Jun. 2004 (Cryptology ePrint Archive (eprint.iacr.org) Report 2004/100; also, CiteSeer article 705084), describe various methods or implementing, such fault attacks on electronic cryptographic circuits, and suggest a number of countermeasures. The countermeasures mainly involve introducing redundancy in which operations are recomputed and the results compared, on the assumption that identical faults cannot be replicated. The resulting system is admitted to be slower and less efficient, but that is conceded to be part of the cost of security.
More efficient countermeasures for protecting secret key integrity are sought.